Future Tech

Researchers find Amazon Alexa flaw exposing personal data to hacking

Tan KW
Publish date: Sun, 16 Aug 2020, 03:23 PM

Smart speakers powered by Amazon's Alexa assistant might be an entertaining and handy way to set alarms and turn on music, but it's emerged that Alexa has been left vulnerable to serious hacking attacks.

Security researchers from California have discovered several serious vulnerabilities in Amazon's Alexa voice assistant system and its networked speakers that could have left users exposed to serious attacks.

Smart speakers have been heavily scrutinised by researchers and data privacy activists alike amid concerns about the security of devices with the potential to record private user activity in the home.

"With just one wrong click, users threatened to lose a great deal of personal data or even the history of all voice recordings, i.e. their personal voice profile," Israeli security company Check Point said on Aug 13, after discovering the vulnerabilities from its San Carlos laboratory.

Moreover, the users could have been spied on via Alexa.

An Amazon spokesperson confirmed Check Point's statements and emphasised that the issues have since been solved.

"We appreciate the work of independent researchers like Check Point who bring potential issues to us," Amazon said. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems."

Amazon said it was not aware of any cases of the vulnerability "being used against our customers or of any customer information being exposed."

According to Check Point, the vulnerabilities were not on the speakers themselves, but in Amazon's online infrastructure.

For example, certain Amazon and Alexa Internet domains could be attacked with so-called cross-site scripting. The researchers were also able to intercept the authorisation key ("CSRF token") and thus execute actions on behalf of the victim.

Using these methods, an attacker could have removed or reinstalled programs ("skills") on a victim's Alexa account. It was also possible to access the Amazon customer's voice history and steal personal information about the user's interactions with individual programs.

"The attack required a single click by the user on a malicious link crafted by the hacker and voice interaction by the victim."

Amazon was quick to patch the vulnerabilities on certain Amazon and Alexa subdomains, Check Point noted. "We hope manufacturers of similar devices will follow Amazon's example and check their products for vulnerabilities that could compromise users' privacy."

Similar security research has already been conducted by Check Point on TikTok, WhatsApp and Fortnite and has found "alarming results". However, the company did not want to say exactly which vulnerabilities these were.

 - dpa
